Keytartest

ci/image/Dockerfile.nodejs-centos7-fips-test

@@ -31,6 +31,7 @@ RUN chmod +x /usr/local/bin/gosu
 RUN yum -y groupinstall 'Development Tools'
 RUN yum -y install centos-release-scl
 RUN yum -y install devtoolset-8-gcc*
+RUN yum -y install libsecret-devel
 SHELL [ "/usr/bin/scl", "enable", "devtoolset-8"]
 
 # node-fips environment variables

ci/image/Dockerfile.nodejs-centos7-node14-test

@@ -40,6 +40,7 @@ RUN chmod a+x /usr/local/bin/aws
 
 # Development tools + git + zstd + jq + gosu
 RUN yum -y groupinstall "Development Tools" && \
+    yum -y install libsecret-devel && \
     yum -y install zlib-devel && \
     curl -o - https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.26.0.tar.gz | tar xfz - && \
     cd git-2.26.0 && \

lib/agent/ocsp_response_cache.js

@@ -30,7 +30,7 @@ var maxAgeSec = GlobalConfig.getOcspResponseCacheMaxAge();
 Errors.assertInternal(Util.number.isPositiveInteger(sizeLimit));
 Errors.assertInternal(Util.number.isPositiveInteger(maxAgeSec));
 
-const cacheDir = GlobalConfig.mkdirCacheDir();
+const cacheDir = GlobalConfig.mkdirCacheDir(process.env.SF_OCSP_RESPONSE_CACHE_DIR);
 const cacheFileName = path.join(cacheDir, "ocsp_response_cache.json");
 // create a cache to store the responses, dynamically changes in size
 var cache;

lib/authentication/auth_idtoken.js

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2015-2023 Snowflake Computing Inc. All rights reserved.
+ */
+
+/**
+ * Creates an oauth authenticator.
+ *
+ * @param {String} token
+ *
+ * @returns {Object}
+ * @constructor
+ */
+function auth_idToken(id_token) {
+
+  this.id_token = id_token;
+
+  /**
+   * Update JSON body with token.
+   *
+   * @param {JSON} body
+   *
+   * @returns {null}
+   */
+  this.updateBody = function (body) {
+    body['data']['TOKEN'] = this.id_token;
+  };
+
+  this.resetSecret = function () {
+    this.id_token = null;
+  };
+
+  this.authenticate = async function (authenticator, serviceName, account, username) {
+    return;
+  };
+}
+
+module.exports = auth_idToken;

lib/authentication/authentication.js

@@ -7,13 +7,17 @@ const auth_web = require('./auth_web');
 const auth_keypair = require('./auth_keypair');
 const auth_oauth = require('./auth_oauth');
 const auth_okta = require('./auth_okta');
+const auth_idToken = require('./auth_idtoken');
+const SecureStorage = require('./secureStorage');
 
 const authenticationTypes =
 {
   DEFAULT_AUTHENTICATOR: 'SNOWFLAKE', // default authenticator name
   EXTERNAL_BROWSER_AUTHENTICATOR: 'EXTERNALBROWSER',
   KEY_PAIR_AUTHENTICATOR: 'SNOWFLAKE_JWT',
   OAUTH_AUTHENTICATOR: 'OAUTH',
+  ID_TOKEN_AUTHENTICATOR: 'ID_TOKEN',
+  MFA_TOEKN_AUTHENTICATOR: 'MFA_TOEKN',
 };
 
 exports.authenticationTypes = authenticationTypes;
@@ -73,14 +77,20 @@ exports.getAuthenticator = function getAuthenticator(connectionConfig, httpClien
     return new auth_default(connectionConfig.password);
   } else if (auth === authenticationTypes.EXTERNAL_BROWSER_AUTHENTICATOR) {
     return new auth_web(connectionConfig, httpClient);
-  }
-  if (auth === authenticationTypes.KEY_PAIR_AUTHENTICATOR) {
+  } else if (auth === authenticationTypes.KEY_PAIR_AUTHENTICATOR) {
     return new auth_keypair(connectionConfig.getPrivateKey(),
       connectionConfig.getPrivateKeyPath(),
       connectionConfig.getPrivateKeyPass());
   } else if (auth === authenticationTypes.OAUTH_AUTHENTICATOR) {
     return new auth_oauth(connectionConfig.getToken());
-  } else if (auth.startsWith('HTTPS://')) {
+  }
+  else if (auth === authenticationTypes.ID_TOKEN_AUTHENTICATOR) {
+    return new auth_idToken(SecureStorage.ge);
+  }
+  else if (auth === authenticationTypes.MFA_TOEKN_AUTHENTICATOR) {
+    return;
+  }
+  else if (auth.startsWith('HTTPS://')) {
     return new auth_okta(connectionConfig.password,
       connectionConfig.region,
       connectionConfig.account,

lib/authentication/secureStorage.js

@@ -0,0 +1,50 @@
+
+const path = require('path');
+const GlobalConfig = require('../global_config');
+const Logger = require('../logger');
+const keytar = require('keytar');
+function createCredentialCacheDir() {
+  const cacheDirectory = GlobalConfig.mkdirCacheDir(process.env.SF_TEMPORARY_CREDENTIAL_CACHE_DIR);
+  const credCache = path.join(cacheDirectory, 'temporary_credential.json');
+  Logger.getInstance().info('Cache directory: ', credCache);
+  return credCache;
+}
+
+/**
+ * 
+ * @param {String} host 
+ * @param {String} user 
+ * @param {String} cred_type 
+ * @returns 
+ */
+function buildTemporaryCredentialName(host, user, cred_type) {
+  return `{${host.toUpperCase()}}:{${user.toUpperCase()}}:{SF_NODE_JS_DRIVER}:{${cred_type}}`;
+}
+
+async function writeCredential(host, user, credType, token){
+  if (!token || token == '') {
+    Logger.getInstance().debug('Token is not provided');
+  } else {
+    const result = await keytar.setPassword(host, buildTemporaryCredentialName(host, user, credType), token);
+
+    if (!result){
+      Logger.getInstance().error('Failed to save the credential. Please check whether OS is supporting Local Secure Storage or not.');
+    }
+  }
+}
+
+async function readCredential(host, user, credType) {
+  return await keytar.getPassword(host, buildTemporaryCredentialName(host, user, credType));
+}
+
+async function deleteCredential(host, user, credType) {
+  await keytar.deletePassword(host, buildTemporaryCredentialName(host, user, credType));
+}
+
+module.exports = { 
+  createCredentialCacheDir, 
+  buildTemporaryCredentialName, 
+  writeCredential,
+  readCredential, 
+  deleteCredential 
+};

lib/connection/connection.js

@@ -5,7 +5,7 @@ const { v4: uuidv4 } = require('uuid');
 const Url = require('url');
 const QueryString = require('querystring');
 const GSErrors = require('../constants/gs_errors')
-
+const SecureStorage = require('../authentication/secureStorage');
 var Util = require('../util');
 var Errors = require('../errors');
 var ErrorCodes = Errors.codes;
@@ -330,6 +330,11 @@ function Connection(context)
           // Update JSON body with the authentication values
           auth.updateBody(body);
 
+          if (connectionConfig.getAuthenticator() === Authenticator.awwwuthenticationTypes.EXTERNAL_BROWSER_AUTHENTICATOR &&
+            connectionConfig.getConsentCacheIdToken()) {
+            SecureStorage.writeCredential(connectionConfig.host, connectionConfig.username, 'ID_TOKEN', body['data']['TOKEN']);
+          } 
+
           // Request connection
           services.sf.connect({
             callback: connectCallback(self, callback),

lib/connection/connection_config.js

@@ -51,6 +51,7 @@ const DEFAULT_PARAMS =
   'forceStageBindError',
   'includeRetryReason',
   'disableQueryContextCache',
+  'consentCacheIdToken',
 ];
 
 function consolidateHostAndAccount(options)
@@ -503,6 +504,14 @@ function ConnectionConfig(options, validateCredentials, qaMode, clientInfo)
     includeRetryReason = options.includeRetryReason;
   }
 
+  let consentCacheIdToken = true;
+  if (Util.exists(options.consentCacheIdToken)) {
+    Errors.checkArgumentValid(Util.isBoolean(options.includeRetryReason),
+    ErrorCodes.ERR_CONN_CREATE_INVALID_INCLUDE_RETRY_REASON);
+
+    includeRetryReason = options.includeRetryReason
+  }
+
   /**
    * Returns an object that contains information about the proxy hostname, port,
    * etc. for when http requests are made.
@@ -784,6 +793,15 @@ function ConnectionConfig(options, validateCredentials, qaMode, clientInfo)
     return disableQueryContextCache;
   }
 
+  /** 
+   * Returns whether idToken cache is enabled or not by the configuration
+   *
+   * @returns {Boolean}
+   */
+  this.getConsentCacheIdToken = function () {
+    return getConsentCacheIdToken
+  }
+
   /**
    * Returns the client config file
    *
@@ -793,6 +811,7 @@ function ConnectionConfig(options, validateCredentials, qaMode, clientInfo)
     return clientConfigFile;
   };
 
+
   // save config options
   this.username = options.username;
   this.password = options.password;

lib/constants/error_messages.js

@@ -68,6 +68,7 @@ exports[404040] = 'Invalid browser timeout value. The specified value must be a
 exports[404041] = 'Invalid disablQueryContextCache. The specified value must be a boolean.';
 exports[404042] = 'Invalid includeRetryReason. The specified value must be a boolean.'
 exports[404043] = 'Invalid clientConfigFile value. The specified value must be a string.';
+exports[404044] = 'Invalid consentCacheIdToken. The specified value must be a boolean.'
 
 // 405001
 exports[405001] = 'Invalid callback. The specified value must be a function.';

lib/errors.js

@@ -73,6 +73,7 @@ codes.ERR_CONN_CREATE_INVALID_BROWSER_TIMEOUT = 404040;
 codes.ERR_CONN_CREATE_INVALID_DISABLED_QUERY_CONTEXT_CACHE = 404041
 codes.ERR_CONN_CREATE_INVALID_INCLUDE_RETRY_REASON =404042
 codes.ERR_CONN_CREATE_INVALID_CLIENT_CONFIG_FILE = 404043;
+codes.ERR_CONN_CREATE_INVALID_CONSENT_CACHE_ID_TOKEN =404044
 
 // 405001
 codes.ERR_CONN_CONNECT_INVALID_CALLBACK = 405001;

lib/global_config.js

@@ -125,9 +125,9 @@ exports.getOcspResponseCacheMaxAge = function ()
  *
  * @returns {string}
  */
-exports.mkdirCacheDir = function ()
+exports.mkdirCacheDir = function (envPath)
 {
-  let cacheRootDir = process.env.SF_OCSP_RESPONSE_CACHE_DIR;
+  let cacheRootDir = envPath;
   if (!Util.exists(cacheRootDir))
   {
     cacheRootDir = os.homedir();

lib/parameters.js

@@ -61,6 +61,7 @@ names.JS_TREAT_INTEGER_AS_BIGINT = 'JS_TREAT_INTEGER_AS_BIGINT';
 names.CLIENT_STAGE_ARRAY_BINDING_THRESHOLD = 'CLIENT_STAGE_ARRAY_BINDING_THRESHOLD';
 names.MULTI_STATEMENT_COUNT = 'MULTI_STATEMENT_COUNT';
 names.QUERY_CONTEXT_CACHE_SIZE = 'QUERY_CONTEXT_CACHE_SIZE';
+names.CLIENT_CONSENT_CACHE_ID_TOKEN = 'CLIENT_CONSENT_CACHE_ID_TOKEN';
 
 var parameters =
   [
@@ -113,6 +114,13 @@ var parameters =
         value: 5,
         desc: 'Query Context Cache Size'
       }),
+    new Parameter(
+      {
+        name: names.CLIENT_CONSENT_CACHE_ID_TOKEN,
+        value: false,
+        desc: 'Whether the SSO Token caching is enabled or not'
+      }
+    ),
   ];
 
 // put all the parameters in a map so they're easy to retrieve and update

package.json

@@ -25,6 +25,7 @@
     "glob": "^7.1.6",
     "https-proxy-agent": "^5.0.1",
     "jsonwebtoken": "^9.0.0",
+    "keytar": "^7.9.0",
     "mime-types": "^2.1.29",
     "mkdirp": "^1.0.3",
     "moment": "^2.29.4",
@@ -80,4 +81,4 @@
     "url": "https://www.snowflake.com/"
   },
   "license": "Apache-2.0"
-}
+}

test/unit/authentication/secureStorage_test.js

@@ -0,0 +1,44 @@
+const assert = require('assert');
+const keytar = require('keytar');
+const SecureStorage = require('../../../lib/authentication/secureStorage');
+const { randomUUID } = require('crypto');
+
+describe('Secure Storage Test', function () {
+  const host = 'mock_test';
+  const user = 'mock_user';
+  const credType = 'MOCK_CREDTYPE';
+  const randomPassword = randomUUID();
+  const userNameForStorage = SecureStorage.buildTemporaryCredentialName(host, user, credType);
+
+  async function findCredentialFromStorage (userName, password){
+    const credentialList = await keytar.findCredentials(host);
+    const result =  credentialList.some((element) => {
+      return element.account === userName && element.password === password;
+    });
+    return result;
+  }
+
+  it('test build user name', function (){
+    assert.strictEqual(userNameForStorage,
+      '{MOCK_TEST}:{MOCK_USER}:{SF_NODE_JS_DRIVER}:{MOCK_CREDTYPE}'
+    ); 
+  });
+
+  it('test - write the mock credential in Local Storage', async function () {
+    await SecureStorage.writeCredential(host, user, credType, randomPassword);
+    const result = await findCredentialFromStorage(userNameForStorage, randomPassword);
+    assert.strictEqual(result, true);
+  });
+
+  it('test - read the mock credential in Local Stoage', async function () {
+    const savedPassword = await SecureStorage.readCredential(host, user, credType);
+    assert.strictEqual(savedPassword, randomPassword);
+  });
+
+  it('test - delet the mock credential in Local Storage', async function () {
+    await SecureStorage.deleteCredential(host, user, credType);
+    const result = await findCredentialFromStorage(userNameForStorage, randomPassword);
+    assert.strictEqual(result, false);
+  });
+});
+

test/unit/connection/connection_config_test.js

@@ -536,6 +536,18 @@ describe('ConnectionConfig: basic', function ()
         },
         errorCode: ErrorCodes.ERR_CONN_CREATE_INVALID_INCLUDE_RETRY_REASON,
       },
+      {
+
+        name: 'invalid consentCacheIdToken',
+        options:
+        {
+          username: 'username',
+          password: 'password',
+          account: 'account',
+          consentCacheIdToken: 'invalid'
+        },
+        errorCode: ErrorCodes.ERR_CONN_CREATE_INVALID_CONSENT_CACHE_ID_TOKEN,
+      },
       {
         name: 'invalid clientConfigFile',
         options: {